Skip to content
My AccountCart

Esko CVD Rules

To encourage proper responsible disclosure, Esko asks that you comply with the following responsible coordinated vulnerability disclosure rules:

  • Do not break international, federal or local laws or regulations.
  • Report the vulnerability upon discovery or as soon as is feasible
  • Do not try to gain access to accounts or any data that is not yours
  • Contact us immediately if you do inadvertently encounter user data that is not yours.
  • Do not view, alter, save, store, transfer, or otherwise access the data.
  • Do not perform any activity that would be disruptive, damaging, or harmful to Esko or its users
  • Do not perform social engineering attacks against Esko employees
  • Do not perform physical attacks on Esko’s infrastructure or facilities
  • Always use accounts, email addresses, phone numbers that you own for testing Esko products / assets and only interact with accounts you own
  • Do not contact any of Esko product support about the status or decision of a vulnerability report
  • Treat a vulnerability report and any vulnerability as confidential information and do not divulge to any third person (except disclosure to Esko) any information until public disclosure is mutually agreed upon with Esko.
    • Do not apply the following actions:
    • Install malware (virus, worm, trojan horse, ransomware, etc.).
    • Make changes to the system.
    • Repeatedly access the system
    • Share access with others.
  • Give Esko reasonable time to respond to the issue before making any information about it public.

Esko will not pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of these Esko CVD rules. Failure to comply with these Esko CVD rules will result in immediate disqualification from the Esko CVD process and forfeiture of any rewards.


  • All Esko branded products and applications listed on,, and

CVD Exclusions

  • Unvalidated findings from automated tools or scans
  • Missing any global security practice that is not a vulnerability
  • “Back” button that keeps working after logout
  • Username or email address enumeration
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers that do not lead directly to a vulnerability
  • Issues that do not affect the latest version of modern browsers or platforms
  • Attacks that require physical access to a user device
  • Hosting malware/arbitrary content on Esko and causing downloads
  • Social engineering
  • Email bombing
  • Ability to upload/download executables
  • HTML injection
  • CSV injection
  • Logout or unauthenticated CSRF
  • Self XSS
  • XSS vulnerabilities on sandbox aka user-content domains
  • Invalid or missing SPF/DKIM/DMARC records
  • Bypassing pricing/paid feature restrictions
  • Clickjacking in unauthenticated pages or in pages with no significant state-changing action
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Low-impact descriptive error pages and information disclosures without any sensitive information
  • Password and account policies, such as (but not limited to) reset link expiration or password complexity
  • Non-critical issues on
  • Missing rate limitations on endpoints (without any security concerns)
  • Presence of EXIF information in file uploads
  • 0-day vulnerabilities in any third parties Esko uses within 10 days of their disclosure
  • Any other issues determined to be of low or negligible security impact

You can still report if you encounter any of the cases in this list that have a significant security impact, and Esko may acknowledge your contribution.